Computer Science

Computer Science ›› 2025, Vol. 52 ›› Issue (4): 343-351.doi: 10.11896/jsjkx.240800043

;

• Information Security • Previous Articles     Next Articles

Persistent Backdoor Attack for Federated Learning Based on Trigger Differential Optimization

JIANG Yufei, TIAN Yulong, ZHAO Yanchao   

  1. School of Computer Science and Technology,Nanjing University of Aeronautics and Astronautics,Nanjing 211106,China
  • Received:2024-08-06 Revised:2024-09-26 Online:2025-04-15 Published:2025-04-14
  • About author:JIANG Yufei,born in 2000,postgra-duate.Her main research interests include backdoor attack and federated learning.
    ZHAO Yanchao,born in 1985,Ph.D supervisor,is a member of CCF(No.24833S).His main research interests include edge computing and processing,wireless sensing and optimization.
  • Supported by:
    National Natural Science Foundation of China(62172215) and A3 Foresight Program of NSFC(62061146002).

PDF (PC)

165

Abstract: The distributed nature of federated learning allows each client to train the model while maintaining data independence,but this also allows attackers to control or mimic some clients to launch backdoor attacks by implanting carefully designed fixed triggers to manipulate the model output.The effectiveness and persistence of triggers are important criteria for measuring attack effectiveness.Effectiveness pertains to the rate of successful breaches,while persistence embodies the capability to sustain a high success rate even after the cessation of the attack.At present,research on effectiveness has been relatively in-depth,but maintaining the persistence of triggers remains a challenging issue.A backdoor attack method based on dynamic optimization triggers is proposed to extend the persistence of triggers.Firstly,during dynamic updates in federated learning,triggers are synchronously optimized to minimize the difference between the potential representations of trigger features during and after attacks,thereby training the global model's ability to remember trigger features.Secondly,using redundant neurons as an indicator of the success of implanting backdoors to adaptively add noise and enhance the effectiveness of attacks.Extensive experiments on the MNIST,CIFAR-10,and CIFAR-100 datasets have shown that the proposed scheme effectively extends the persistence of triggers in fede-rated learning environments.Under five kind of representative defense systems,the success rate of attacks is higher than 98%,especially after more than 600 rounds of attacks on the CIFAR-10,the success rate of attacks still exceeds 90%.

Key words: Federated learning, Backdoor attack, Dynamic trigger, Attack persistence, Model security

CLC Number: 

  • TP309
[1]ZENG X,CAO K,ZHANG M.MobileDeepPill:A small-foot-print mobile deep learning system for recognizing unconstrained pill images[C]//Proceedings of the 15th Annual Internation Conference on Mobile Systems,Applications,and Services.New York:ACM,2017:56-67.
[2]RAN X K,CHEN H L,ZHU X D,et al.Deepdecision:A mobile deep learning framework for edge video analytics[C]//Procee-dings of the 37th IEEE Conference on Computer Communications.Piscataway,NJ:IEEE,2018:1421-1429.
[3]LIU L Y,LI H Y,MARCO G.Edge assisted real-time object de-tection for mobile augmented reality[C]//Proceedings of the 25th Annual Internation Conference on Mobile Computing and Networking.New York:ACM,2019:1-16.
[4]KONECˇNY′ J,MCMAHAN B,RAMAGE D.Federated optimization:Distributed optimization beyond the datacenter[J].ar-Xiv:1511.03575,2015.
[5]MCMAHAN B,MOORE E,RAMAGE D,et al.Communica-tion-efficient learning of deep networks from decentralized data[C]// Proceedings of the 20th Internation Conference on Artificial Intelligence and Statistics.New York:PMLR,2017:1273-1282.
[6]BONAWITZ K,EICHNER H,GRIESKAMP W,et al.Towards federated learning at scale:system design[J].arXiv:1902.01046,2019.
[7]LIU Y,FAN T,CHEN T J,et al.FATE:an industrial gradeplatform for collaborative learning with data protection[J].Journal of Machine Learning Research,2021,22(226):1-6.
[8]SONG M K,WANG Z B,ZHANG Z F,et al.Analyzing user-level privacy attack against federated learning[J].IEEE Journal on Selected Areas in Communications,2020,38(10):2430-2444.
[9]BAGDASARYAN E,VEIT A,HUA Y Q,et al.How to backdoor federated learning[C]//Proceedings of Internation Confe-rence on Artificial Intelligence and Statistics.Cambridge,MA:MIT Press,2020:2938-2948.
[10]LI H Y,YE Q Q,HU H B,et al.3dfed:Adaptive and extensible framework for covert backdoor attack in federated learning[C]//Proceedings of the 44th IEEE Symp on Security and Privacy.Piscataway,NJ:IEEE,2023:1893-1907.
[11]BHAGOJI A,CHAKRABORTY S,MITTAL P,et al.Analy-zing federated learning through an adversarial lens[C]//Proceedings of Internation Conference on Artificial Intelligence and Statistics.Cambridge,MA:MIT Press,2019:634-643.
[12]XIE C L,HUANG K L,CHEN P Y,et al.DBA:Distributed backdoor attacks against federated learning[C]//Proceedings of the 7th Internation Conference on Learning Representations.2019.
[13]WANG H Y,SREENIVASAN K,RAJPUT S,et al.Attack of the tails:Yes,you really can backdoor federated learning [C]//Proceeding of the 34th Annual Conference on Neural Information Prosessing Systems.Massachusetts:MIT Press,2020:16070-6084.
[14]FANG P,CHEN J H.On the Vulnerability of Backdoor Defenses for Federated Learning[C]//Proceedings of the 37th AAAI Conference on Artificial Intelligence.Palo Alto,CA:AAAI Press,2023:11800-11808.
[15]ZHANG H F,JIA J Y,CHRN J H,et al.A3fl:Adversariallyadaptive backdoor attacks to federated learning[C]//Proceedings of the 36th Annual Conference on Neural Information Prosessing Systems.Massachusetts:MIT Press,2023:61213-61233.
[16]QIAO Y Q,LIU D Z,CHEN C W,et al.FTA:Stealthy andAdaptive Backdoor Attack with Flexible Triggers on Federated Learning[J].arXiv:2309.00127,2023.
[17]LIU T,ZHANG Y H,FENG Z,et al.Beyond traditionalthreats:A persistent backdoor attack on federated learning [C]//Proceedings of the 38th AAAI Conference on Artificial Intelligence.Palo Alto,CA:AAAI Press,2024:21359-21367.
[18]RIEGER P,NGUYEN D,MIETTINEN M,et al.Deepsight:Mitigating backdoor attacks in federated learning through deep model inspection[J].arXiv:2201.00763,2022.
[19]WANG Y K,ZHAI D H,ZHAN Y G,et al.Rflbat:A robust federated learning algorithm against backdoor attack[J].arXiv:2201.03772,2022.
[20]SUN Z T,PETER K,ANANDA T,et al.Can you really backdoor federated learning?[J].arXiv:1911.07963,2019.
[21]FUNG C,YOON C J M,BESCHASTNIKH I.The limitations of federated learning in sybil settings [C]//Proceedings of the 23rd Internation Symposium on Research in Attacks,Intrusions and Defenses.Berlin:Springer,2020:301-316.
[22]ZHOU X C,XU M,WU Y M,et al.Deep model poisoning attack on federated learning[J].Future Internet,2021,13(3):73.
[23]HSU T,QI H,BROWN M.Measuring the effects of non-identical data distribution for federated visual classification[J].arXiv:1909.06335,2019.
[1] WANG Yifei, ZHANG Shengjie, XUE Dizhan, QIAN Shengsheng. Self-supervised Backdoor Attack Defence Method Based on Poisoned Classifier [J]. Computer Science, 2025, 52(4): 336-342.
[2] LUO Zhengquan, WANG Yunlong, WANG Zilei, SUN Zhenan, ZHANG Kunbo. Study on Active Privacy Protection Method in Metaverse Gaze Communication Based on SplitFederated Learning [J]. Computer Science, 2025, 52(3): 95-103.
[3] HU Kangqi, MA Wubin, DAI Chaofan, WU Yahui, ZHOU Haohao. Federated Learning Evolutionary Multi-objective Optimization Algorithm Based on Improved NSGA-III [J]. Computer Science, 2025, 52(3): 152-160.
[4] WANG Ruicong, BIAN Naizheng, WU Yingjun. FedRCD:A Clustering Federated Learning Algorithm Based on Distribution Extraction andCommunity Detection [J]. Computer Science, 2025, 52(3): 188-196.
[5] WANG Dongzhi, LIU Yan, GUO Bin, YU Zhiwen. Edge-side Federated Continuous Learning Method Based on Brain-like Spiking Neural Networks [J]. Computer Science, 2025, 52(3): 326-337.
[6] XIE Jiachen, LIU Bo, LIN Weiwei , ZHENG Jianwen. Survey of Federated Incremental Learning [J]. Computer Science, 2025, 52(3): 377-384.
[7] ZHENG Jianwen, LIU Bo, LIN Weiwei, XIE Jiachen. Survey of Communication Efficiency for Federated Learning [J]. Computer Science, 2025, 52(2): 1-7.
[8] LIU Yuming, DAI Yu, CHEN Gongping. Review of Federated Learning in Medical Image Processing [J]. Computer Science, 2025, 52(1): 183-193.
[9] WANG Xin, XIONG Shubo, SUN Lingyun. Federated Graph Learning:Problems,Methods and Challenges [J]. Computer Science, 2025, 52(1): 362-373.
[10] DUN Jingbo, LI Zhuo. Survey on Transmission Optimization Technologies for Federated Large Language Model Training [J]. Computer Science, 2025, 52(1): 42-55.
[11] LI Zhi, LIN Sen, ZHANG Qiang. Edge Cloud Computing Approach for Intelligent Fault Detection in Rail Transit [J]. Computer Science, 2024, 51(9): 331-337.
[12] GAN Run, WEI Xianglin, WANG Chao, WANG Bin, WANG Min, FAN Jianhua. Backdoor Attack Method in Autoencoder End-to-End Communication System [J]. Computer Science, 2024, 51(7): 413-421.
[13] ZHOU Tianyang, YANG Lei. Study on Client Selection Strategy and Dataset Partition in Federated Learning Basedon Edge TB [J]. Computer Science, 2024, 51(6A): 230800046-6.
[14] SUN Min, DING Xining, CHENG Qian. Federated Learning Scheme Based on Differential Privacy [J]. Computer Science, 2024, 51(6A): 230600211-6.
[15] TAN Zhiwen, XU Ruzhi, WANG Naiyu, LUO Dan. Differential Privacy Federated Learning Method Based on Knowledge Distillation [J]. Computer Science, 2024, 51(6A): 230600002-8.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.